Non-human identity: what it means for your access reviews (on Azure)

A clean access‑review process knows exactly which service principal touched which resource and when, without any mystery. Effective access reviews on Azure require that each automated request be attributable to a specific pipeline or job. In many Azure environments the reality looks very different. Teams spin up service principals, grant them broad Contributor or Owner roles, and then stash the client secret in a repository, a CI/CD variable, or a shared vault. Those credentials are copied across pipelines, reused by multiple services, and rarely rotated. When an auditor asks for an access‑review, the answer is a list of groups and role assignments, not a record of which automated job actually performed the operation. The result is a noisy spreadsheet, a lot of guesswork, and a high risk of orphaned permissions.

The core problem is that non‑human identities are treated as static credentials rather than as request‑bound actors. Azure’s native RBAC can answer “does this principal have permission?” but it does not answer “who invoked the request at this moment?” Without a control point on the data path, every request flows directly from the service principal to the Azure resource manager, bypassing any real‑time policy enforcement. You can still create a service principal, you can still assign it a role, and you can still run a job that talks to Azure, but you gain no audit trail, no inline masking of sensitive fields, and no opportunity to require a human approval before a risky operation.

Why non‑human identities break access reviews

When a service principal is used as a shared secret, the following gaps appear:

• Missing per‑request attribution. Logs show the principal name, but they do not show which pipeline, which job, or which team initiated the call.
• Stale permissions linger. Because the credential is long‑lived, the principal often accumulates more roles than it needs, and revoking a role does not automatically invalidate existing sessions.
• No inline protection. If a job accidentally runs a destructive command, there is no gate that can block it before it reaches the target service.
• Hard to certify compliance. Auditors need evidence that each automated action was authorized, but the evidence lives only in scattered logs that are difficult to correlate.

These issues make the access‑review process a manual, error‑prone exercise that defeats the purpose of having fine‑grained, non‑human identities in the first place.

How hoop.dev fixes the gap

hoop.dev is an identity‑aware, layer‑7 gateway that sits between any non‑human identity and Azure resources. It acts as the only place where traffic is inspected, policies are enforced, and evidence is recorded. Because the gateway is the data path, every request must pass through it before reaching the Azure API.

• Just‑in‑time access. hoop.dev can require a short‑lived approval for high‑risk operations, turning a static service principal into a request‑bound actor.
• Command‑level audit. Each session is recorded and stored outside the target system, giving you a replayable log that ties a specific job or pipeline to the exact API calls it made.
• Inline data masking. Sensitive fields returned by Azure services can be redacted in real time, protecting secrets even if a downstream job logs the response.
• Policy enforcement. Dangerous commands can be blocked before they are sent to Azure, preventing accidental or malicious actions.

Because hoop.dev holds the credential for the Azure connection, the calling service never sees the secret. The gateway validates the caller’s OIDC token, extracts group membership, and then decides whether the request is allowed, needs approval, or should be recorded. This architecture satisfies the missing pieces of an effective access‑review program: you now have per‑request evidence, you can enforce least‑privilege at the moment of use, and you can demonstrate to auditors that every automated action was reviewed and logged.

Practical steps to get started

1. Deploy the hoop.dev gateway in the same network segment as your Azure resources. The quick‑start guide walks you through a Docker‑Compose deployment that includes OIDC authentication out of the box.

2. Register each Azure service you need to protect as a connection in hoop.dev. Provide the necessary credential (client ID and secret or a managed identity) to the gateway; the calling service never touches it.

3. Define policies that tie Azure role scopes to group membership and that require approval for privileged actions such as deleting a resource group or modifying IAM policies.

4. Update your CI/CD pipelines to point at the hoop.dev endpoint instead of the Azure endpoint directly. The client libraries (psql, az cli, etc.) work unchanged because the gateway speaks the same wire protocol.

5. Review the recorded sessions in the hoop.dev UI or export them for audit. The logs include the caller’s identity, the exact request, and any approval workflow that was triggered.

For detailed guidance, see the getting‑started documentation and the broader feature overview at hoop.dev/learn. The repository contains the full source and example configurations.

FAQ

Do I need to change my existing Azure RBAC assignments? No. hoop.dev works alongside your existing roles. It adds a request‑time check and audit layer without removing the underlying permissions.

Will hoop.dev add latency to my API calls? The gateway adds a small, predictable network hop. Because it runs close to the target service, the impact is minimal compared with the security and compliance benefits.

Can I still use managed identities for the gateway itself? Yes. hoop.dev can be configured to authenticate to Azure using a managed identity, keeping the credential surface area small.

Ready to see how a layer‑7 gateway can turn noisy service principals into a clean, auditable access‑review process? Explore the code and start contributing at GitHub.